Abstract

The approach to reasoning about structural operational semantics style specifications supported by the Abella system is discussed. This approach uses λ-tree syntax to treat object language binding and encodes binding-related properties in generic judgments. Further, object language specifications are embedded directly into the reasoning framework through recursive definitions. The treatment of binding via generic judgments implicitly enforces distinctness and atomicity in the names used for bound variables. These properties must, however, be made explicit in reasoning tasks. This objective can be achieved by allowing recursive definitions to also specify generic properties of atomic predicates. The utility of these various logical features in the Abella system is demonstrated through actual reasoning tasks. Brief comparisons with a few other logic based approaches are also made.



1 Introduction 

This paper concerns reasoning about the descriptions of systems that manipulate
formal objects such as programs and their specifications. A common approach to
modelling the dynamic and static semantics of these systems is to use a syntax-
driven rule-based presentation. These presentations can be naturally encoded as
theories within a simple, intuitionistic logic. If the intuitionistic logic supports
λ-terms and the quantification of variables ranging over such terms, then it also
provides a convenient means for capturing binding notions in the syntactic objects
of interest; in particular, it facilitates the use of the λ-tree approach to abstract
syntax. A further benefit to using such a logic to encode semantic specifications is
that an immediate and effective animation of them is provided by logic programming
systems such as λProlog [NM88] and Twelf [PS99].

Given a logic-based specification of a formal system, establishing properties of 
the system reduces to answering questions about what is provable in the logic en- 
coding the specification. Different approaches can be adopted for this task. At one 
end, the specification logic can be formalized and reasoned about within a general
purpose theorem-proving framework such as that provided by Coq [BC04] or Is- 
abelle [NPW02]. At the other end, one can develop another logic, often called a 
meta-logic, that is explicitly tuned to reasoning about the specification logic. It is 
the latter approach that we examine here. In particular, we expose its practical use 
within the context of a specific theorem-proving system called Abella [Gac08]. 

The design of a logic that can act as a powerful and expressive meta-logic has 
been the subject of much recent research [BGM+07,GMN08,MM02,MT05,Tiu06]. 
The logics emanating from these studies share a common theme: they all provide 
recursive definitions as a means for encoding specification logics and some form of 
generic reasoning for modelling binding notions at the meta level. We expose here 
an expressive and flexible logic called G within this framework. Abella is based on
G but also provides special support for the ways in which G is intended to be used
in meta-reasoning tasks. Our presentation pays attention to the novel features of
both G and Abella from this perspective. Concreteness is provided by considering
proofs of evaluation, typing, and normalization properties of the λ-calculus.

This paper is organized as follows. The logic G is summarized in Section 2 and
its particular realization in Abella is discussed in Section 3. Section 4 illustrates
the use of Abella in a significant theorem-proving task, that of formalizing a Tait-
style proof of normalizability in the λ-calculus. Section 5 points out limitations of
the currently implemented system. Finally, in Section 6 we compare Abella-style 
reasoning with some other approaches to the same kind of reasoning tasks. 

2 The Logical Foundation 

The logic G [GMN08] which we use to formalize arguments about structural oper-
ational semantics is based on an intuitionistic and predicative subset of Church's
Simple Theory of Types. Terms in G are monomorphically typed and are con-
structed using abstraction and application from constants and (bound) variables.
The provability relation concerns terms of the distinguished type o that are also
called formulas. Logic is introduced by including special constants representing the
propositional connectives ⊤, ⊥, ∧, ∨, ⊃ and, for every type τ that does not con-
tain o, the constants ∀_τ and ∃_τ of type (τ → o) → o. The binary propositional
connectives are written as usual in infix form and the expression ∀_τ x.B (∃_τ x.B) ab-
breviates the formula ∀_τ λx.B (respectively, ∃_τ λx.B). Type subscripts are typically
omitted from quantified formulas when their identities do not aid the discussion.

The standard treatment of the universal quantifier accords it an extensional
interpretation. When treating λ-tree syntax it is often necessary to give importance
to the form of the argument for a statement like "B(x) holds for all x" rather than
focusing on whether or not every instance of B(x) is true. The ∇ quantifier [MT05]
is used to encode such generic judgments. Specifically, we include the constants
∇_τ of type (τ → o) → o for each type τ (not containing o). As with the other
quantifiers, ∇_τ x.B abbreviates ∇_τ λx.B.

The FOλ^∇ logic [MT05] incorporates ∇ quantification into a sequent calculus
presentation of intuitionistic proof by attaching a local signature to every formula
occurrence in a sequent. We are interested here in considering also proofs that use
induction. In this situation, we are led naturally to including certain structural rules
pertaining to local signatures [Tiu06]. Written at the level of formulas, these are
the ∇-exchange rule ∇x∇y.F ≡ ∇y∇x.F and the ∇-strengthening rule ∇x.F ≡ F,
provided x is not free in F. If we adopt these rules, we can make all local signatures
equal and hence representable by an (implicit) global binder. We shall refer to
these globally ∇-bound variables as nominal constants. Intuitively, one can think
of nominal constants as denoting arbitrary, unique names. Notice that the exchange
rule requires us to consider atomic judgments as being identical if they differ by only
permutations of nominal constants.

Fig. 1. The core rules of G: the introduction rules for the propositional connectives are not displayed.

The logic G uses the above treatment of the ∇ quantifier that was first introduced
in the LG^ω system [Tiu06]. Specifically, an infinite collection of nominal constants
are assumed for each type. The set of all nominal constants is denoted by 𝒞. These
constants are distinct from the collection of usual, non-nominal constants denoted
by 𝒦. We define the support of a term (or formula) t, written supp(t), as the set of
nominal constants appearing in it. A permutation of nominal constants is a type
preserving bijection π from 𝒞 to 𝒞 such that {x | π(x) ≠ x} is finite. Permutations
are extended to terms (and formulas), written π.t, as follows:

    π.a = π(a), if a ∈ 𝒞          π.c = c, if c ∉ 𝒞 is atomic

    π.(λx.M) = λx.(π.M)           π.(M N) = (π.M) (π.N)

Figure 1 presents a subset of the core rules for G; the standard rules for the
propositional connectives have been omitted for brevity. Sequents in this logic have
the form Σ : Γ ⊢ C where Γ is a set and the signature Σ contains all the free
variables of Γ and C. In the rules, Γ, F denotes Γ ∪ {F}. In the ∇L and ∇R rules,
a denotes a nominal constant of appropriate type. In the ∃L and ∀R rules, c̄ is a
listing of the variables in supp(B) and h c̄ represents the application of h to these
constants; raising is used here to encode the dependency of the quantified variable
on supp(B) [Mil92]. The judgment Σ, 𝒦, 𝒞 ⊢ t : τ that appears in the ∀L and ∃R
rules enforces the requirement that the expression t instantiating the quantifier in
the rule is a well-formed term of type τ constructed from the variables in Σ and the
constants in 𝒦 ∪ 𝒞.

Atomic judgments in G are defined recursively by a set of clauses of the form
∀x̄.(∇z̄.H) ≜ B: here H is an atomic formula all of whose free variables are con-
tained in either x̄ or in z̄ and B is an arbitrary formula all of whose free variables
are also free in ∇z̄.H. The atom H is the head of such a clause and B is its body.
No nominal constant is permitted to appear in either of these formulas. A clause of
this form provides part of the definition of a relation named by H using B. The ∇
quantifiers over H may be instantiated by distinct nominal constants. The variables
x̄ that are bound by the ∀ quantifiers may be instantiated by terms that depend on
any nominal constant except those chosen for the variables in z̄.

Fig. 2. Rules for definitions

Certain auxiliary notions are needed in formalizing the rules for definitions in
G. A substitution θ is a type-preserving mapping from variables to terms such that
the set {x | xθ ≠ x}, the domain of θ, is finite. A substitution is extended to a
function from terms to terms in the usual fashion and we write its application using
a postfix notation. If Γ is a set of formulas then Γθ is the set {Jθ | J ∈ Γ}. If Σ is a
signature then Σθ is the signature that results from removing from Σ the variables
in the domain of θ and adding the variables that are free in the range of θ. Given
a clause ∀x₁, …, xₙ.(∇z̄.H) ≜ B, we define a version of it raised over the nominal
constants ā and away from a signature Σ as

    ∀h̄.(∇z̄.H[h₁ ā/x₁, …, hₙ ā/xₙ]) ≜ B[h₁ ā/x₁, …, hₙ ā/xₙ],

where h₁, …, hₙ are distinct variables of suitable type that do not appear in Σ.
Finally, given the sequent Σ : Γ ⊢ C and the nominal constants c̄ that do not
appear in the support of Γ or C, let σ be any substitution of the form

    {h' c̄/h | h ∈ Σ and h' is a variable of suitable type that is not in Σ}.

Then we call the sequent Σσ : Γσ ⊢ Cσ a version of Σ : Γ ⊢ C raised over c̄.

The introduction rules for atomic judgments based on definitions are presented
in Figure 2. The defL rule has a set of premises that is generated by considering
each definitional clause of the form ∀x̄.(∇z̄.H) ≜ B in the following fashion. Let c̄
be a list of distinct nominal constants equal in length to z̄ such that none of these
constants appear in the support of Γ, A or C and let Σ' : A', Γ' ⊢ C' denote a version
of the lower sequent raised over c̄. Further, let H' and B' be obtained by taking the
head and body of a version of the clause being considered raised over ā = supp(A)
and away from Σ' and applying the substitution [c̄/z̄] to them. Then the set of
premises arising from this clause are obtained by considering all permutations π
of ā c̄ and all substitutions θ such that (π.H')θ = A'θ, with the proviso that the
range of θ may not contain any nominal constants. The defR rule, by contrast, has
exactly one premise that is obtained by using any one definitional clause. B' and H'
are generated from this clause as in the defL case, but π is now taken to be any one
permutation of ā c̄ and θ is taken to be any one substitution such that (π.H')θ = A',
again with the proviso that the range of θ may not contain any nominal constants.

Some of the expressiveness arising from the quantificational structure permitted
in definitions in G is demonstrated by the following definitional clauses:

    (∇x. name x) ≜ ⊤          ∀E.(∇x. fresh x E) ≜ ⊤

The ∇ quantifier in the first clause ensures that name holds only for nominal con-
stants. Similarly, the relative scopes of ∀ and ∇ in the second clause force fresh to
hold only between a nominal constant and a term not containing that constant.
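As an added illustration (example code written for this edit, not code from the paper or from Abella), the following Python model implements the notions introduced above for the ∇-treatment of names: a term syntax with an explicit class of nominal constants, the support function supp, the extension of a permutation π to terms following the four equations given after the definition of permutations, an equivariance check that treats two atoms as identical when they differ only by a permutation of nominal constants, and the two predicates name and fresh from the clauses just shown. Binders are explicit here (a Lam node carrying a variable name) rather than λ-tree syntax, α-equivalence of bound variable names is not modelled, and all class names and sample terms are constructed for the example.

```python
from dataclasses import dataclass
from itertools import permutations
from typing import Dict, Union


@dataclass(frozen=True)
class Nom:
    """A nominal constant, an element of the set C (names constructed here)."""
    name: str


@dataclass(frozen=True)
class Const:
    """An ordinary, non-nominal constant, an element of K."""
    name: str


@dataclass(frozen=True)
class Var:
    """An occurrence of a lambda-bound variable (explicit binders in this model)."""
    name: str


@dataclass(frozen=True)
class Lam:
    """λ var. body"""
    var: str
    body: "Term"


@dataclass(frozen=True)
class App:
    """Application (fun arg)."""
    fun: "Term"
    arg: "Term"


Term = Union[Nom, Const, Var, Lam, App]


def supp(t: Term) -> set:
    """supp(t): the set of nominal constants appearing in t."""
    if isinstance(t, Nom):
        return {t}
    if isinstance(t, (Const, Var)):
        return set()
    if isinstance(t, Lam):
        return supp(t.body)
    return supp(t.fun) | supp(t.arg)


def permute(pi: Dict[Nom, Nom], t: Term) -> Term:
    """π.t following the four equations of the paper. π is given by its finite
    non-identity part; every nominal constant not listed is left fixed."""
    if isinstance(t, Nom):
        return pi.get(t, t)                                   # π.a = π(a), a ∈ C
    if isinstance(t, (Const, Var)):
        return t                                              # π.c = c, c ∉ C atomic
    if isinstance(t, Lam):
        return Lam(t.var, permute(pi, t.body))                # π.(λx.M) = λx.(π.M)
    return App(permute(pi, t.fun), permute(pi, t.arg))        # π.(M N) = (π.M)(π.N)


def is_permutation(pi: Dict[Nom, Nom]) -> bool:
    """A finite map is the non-identity part of a permutation of C exactly
    when it is a bijection on its own domain (same sources and targets)."""
    return set(pi.keys()) == set(pi.values())


def swap(a: Nom, b: Nom) -> Dict[Nom, Nom]:
    """The transposition exchanging a and b."""
    return {a: b, b: a}


def equivariant_equal(t1: Term, t2: Term) -> bool:
    """True iff t2 = π.t1 for some permutation π, i.e. the two atoms differ
    only by a renaming of nominal constants. Only the images of supp(t1)
    matter, so trying every bijection from supp(t1) onto supp(t2) suffices;
    each such partial map extends to a bijection on all of C."""
    s1 = sorted(supp(t1), key=lambda n: n.name)
    s2 = sorted(supp(t2), key=lambda n: n.name)
    if len(s1) != len(s2):
        return False
    return any(permute(dict(zip(s1, target)), t1) == t2 for target in permutations(s2))


def name(x: Term) -> bool:
    """(∇x. name x) ≜ ⊤: holds exactly for nominal constants."""
    return isinstance(x, Nom)


def fresh(x: Term, e: Term) -> bool:
    """∀E.(∇x. fresh x E) ≜ ⊤: x is a nominal constant not occurring in E."""
    return isinstance(x, Nom) and x not in supp(e)


if __name__ == "__main__":
    # constructed sample: f a b and f c a are the same atom up to renaming
    a, b, c, f = Nom("a"), Nom("b"), Nom("c"), Const("f")
    print(supp(App(App(f, a), b)))
    print(equivariant_equal(App(App(f, a), b), App(App(f, c), a)))
```

Structural equality of the dataclasses is what makes `equivariant_equal` a direct transcription of "identical up to a permutation of nominal constants"; the brute-force search over bijections is fine because supports are finite by construction.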
When G is used in applications, bound variables in syntactic objects will be rep-
resented either explicitly, by term-level, λ-bound variables, or implicitly, by nominal
constants. The equivariance principle for nominal constants realizes alpha convert-
ibility in the latter situation. Encoding bound variables by λ-terms ensures that
substitution is built-in and that dependencies of subterms on bindings is controlled;
specific dependencies can be realized by using the device of raising. Definitions with
∇ in the head allow for a similar control over dependencies pertaining to nominal
constants and raising can be used to similar effect with these as well.

The consistency of G requires some kind of stratification condition to govern the 
possible negative uses of predicates in the body of definitions. There are several 
choices for such a condition. Rather than picking one in an a priori fashion, we will 
note relevant such conditions as needed. 

The final capability of interest is induction over natural numbers. These numbers
are encoded in G using the type nt and the constructors z : nt and s : nt → nt.
Use of induction is controlled by the distinguished predicate nat : nt → o which is
treated by specific introduction rules. In particular, the left introduction rule for
nat corresponds to natural number induction.

3 The Architecture of Abella 

Abella is an interactive theorem prover for the logic G. The structure of Abella
is influenced considerably by a two-level logic approach to specifying and reason-
ing about computations. There is a logic — the intuitionistic theory of second-order
hereditary Harrop formulas that we call hH² here — that provides a convenient vehi-
cle for formulating structural, rule-based characterizations of a variety of properties
such as evaluation and type assignment. An especially useful feature of such en-
codings is that derivations within this "specification" logic reflect the structure of
derivations in the object logic.* Now, the specification logic can be embedded into
G through the medium of definitions. When used in this manner, G plays the role
of a reasoning or meta logic: formulas in G can be used to encapsulate properties
of derivations in the specification logic and, hence, of computations in the object
logic. By keeping the correspondences simple, reasoning within G can be made to
directly reflect the structure of informal arguments relative to the object logics.

This two-level logic approach was enunciated by McDowell and Miller already
in the context of the logic FOλ^ΔIN [MM02]. Abella realizes this idea using a richer
logic that is capable of conveniently encoding more properties of computations. 
As a theorem prover, Abella also builds in particular properties arising out of the 
encoding of the specification logic. We discuss these aspects in more detail below. 

The specification logic The formulas of hH² are given by the following mutu-
ally recursive definitions:

    G ::= A | A ⊃ G | ∀_τ x.G | G ∧ G          D ::= A | G ⊃ D | ∀_τ x.D

In these definitions, A denotes an atomic formula and τ ranges over types of order
0 or 1 not containing o. The sequents for which proofs are constructed in hH² are



* Since hH² is a subset of λProlog [NM88], it turns out that such specifications can also be compiled and
executed effectively [NM99].
$$
\frac{x : a \in \Gamma}{\Gamma \vdash x : a}
\qquad
\frac{\Gamma \vdash m : (a \to b) \qquad \Gamma \vdash n : a}{\Gamma \vdash m\ n : b}
\qquad
\frac{\Gamma, x : a \vdash r : b}{\Gamma \vdash (\lambda x : a.\, r) : (a \to b)}\ \ x \text{ not in } \Gamma
$$

Fig. 3. Rules for relating a λ-term to a simple type

    ∀m, n, a, b [of m (arr a b) ∧ of n a ⊃ of (app m n) b]
    ∀r, a, b [∀x [of x a ⊃ of (r x) b] ⊃ of (abs a r) (arr a b)]

Fig. 4. Second-order hereditary Harrop formulas (hH²) encoding simply typing

restricted to the form Δ ⟶ G where Δ is a set of D-formulas and G is a G-formula.
For such sequents, provability in intuitionistic logic is completely characterized by
the more restricted notion of (cut-free) uniform proofs [MNPS91]. In the case of
hH², every sequent in a uniform proof of Δ ⟶ G is of the form Δ, ℒ ⟶ G' for
some G-formula G' and for some set of atoms ℒ. Thus, during the search for a proof
of Δ ⟶ G, the initial context Δ is global: changes occur only in the set of atoms
on the left and the goal formula on the right.

We briefly illustrate the ease with which type assignment for the simply typed
λ-calculus can be encoded in hH². There are two classes of objects in this domain:
types and terms. For types we will consider a single base type called i and the arrow
constructor for forming function types. Terms can be variables x, applications (m n)
where m and n are terms, and typed abstractions (λx : a.r) where r is a term and
a is the type of x. The standard rules for assigning types to terms are given in
Figure 3. Object-level untyped λ-terms and simple types can be encoded in a
simply typed (meta-level) λ-calculus as follows. The simple types are built from
the two constructors i and arr and terms are built using the two constructors app
and abs. Here, the constructor abs takes two arguments: one for the type of the
variable being abstracted and the other for the actual abstraction. Terms in the
specification logic contain binding and so there is no need for an explicit constructor
for variables. Thus, the (object-level) term (λf : i → i.(λx : i.(f x))) can be encoded
as the meta-level term abs (arr i i) (λf. abs i (λx. app f x)).

Given this encoding of the untyped λ-calculus and simple types, the inference
rules of Figure 3 can be specified by the hH² formulas in Figure 4 involving the
binary predicate of. Note that this specification in hH² does not maintain an explicit
context for typing assumptions but uses hypothetical judgments instead. Also, the
explicit side-condition in the rule for typing abstractions is not needed since it is
captured by the usual proof theory of the universal quantifier in the hH² logic.

Encoding specification logic provability in G The definitional clauses in
Figure 5 encode hH² provability in G. In these and other such clauses in this
paper, we use the convention that capitalized variables are implicitly universally
quantified at the head. This encoding of hH² provability derives from McDowell
and Miller [MM02]. As described earlier, uniform proofs in hH² contain sequents
of the form Δ, ℒ ⟶ G where Δ is a fixed set of D-formulas and ℒ is a varying
set of atomic formulas. Our encoding uses the G predicate prog to represent the
D-formulas in Δ: the D formula ∀x̄.[G₁ ⊃ ⋯ ⊃ Gₙ ⊃ A] is encoded as the clause
∀x̄. prog A (G₁ ∧ ⋯ ∧ Gₙ) ≜ ⊤ and ∀x̄.A is encoded by the clause ∀x̄. prog A tt ≜ ⊤.
    element_N B (B :: L) ≜ ⊤          element_(s N) B (C :: L) ≜ element_N B L

    member B L ≜ ∃n. nat n ∧ element_n B L

    seq_N L ⟨A⟩ ≜ member A L
    seq_(s N) L (B ∧ C) ≜ seq_N L B ∧ seq_N L C
    seq_(s N) L (A ⊃ B) ≜ seq_N (A :: L) B
    seq_(s N) L (∀B) ≜ ∇x. seq_N L (B x)
    seq_(s N) L ⟨A⟩ ≜ ∃b. prog A b ∧ seq_N L b
    seq_(s N) L ⟨A⟩ ≜ prog A tt

Fig. 5. Second-order hereditary Harrop logic in G

Sequents are encoded using the atomic formula (seq_N L G) where L is a list encoding
the set of atomic formulas ℒ and G encodes the G-formula. The argument N,
written as a subscript, encodes the height of the proof tree that is needed in inductive
arguments. The constructor ⟨·⟩ is used to inject the special type of atom into
formulas. To simplify notation, we write L ⊩ G for ∃n. nat n ∧ seq_n L G. When L is
nil we write simply ⊩ G.

Proofs of universally quantified G formulas in hH² are generic in nature. A
natural encoding of this (object-level) quantifier in the definition of seq uses a (meta-
level) ∇-quantifier. In the case of proving an implication, the atomic assumption
is maintained in a list (the second argument of seq). The penultimate clause for
seq implements backchaining over a fixed hH² specification (stored as prog atomic
formulas). The matching of atomic judgments to heads of clauses is handled by
the treatment of definitions in the logic G, thus the penultimate rule for seq simply
performs this matching and makes a recursive call on the corresponding clause body.

With this kind of an encoding, we can now formulate and prove in G statements
about what is or is not provable in hH². Induction over the height of derivations
may be needed in such arguments and this can be realized via natural number
induction on n in seq_n L P. Furthermore, the defL rule encodes case analysis in the
derivation of an atomic goal, leading eventually to a consideration of the different
ways in which an atomic judgment may have been inferred in the specification logic.
Abella is designed to hide much of the details of how the seq and prog specifications
work and to reflect instead the aggregate structure described here.

Since we have encoded the entire specification logic, we can prove general proper-
ties about it in G that can then be used in reasoning about particular specifications.
In Abella, various such specification logic properties can be invoked either automat-
ically or through the use of tactics. For example, the following property, which is
provable in G, states the judgment ℓ ⊩ g is not affected by permuting, contracting,
or weakening the context of hypothetical assumptions ℓ.

    ∀ℓ₁, ℓ₂, g.(ℓ₁ ⊩ g) ∧ (∀e. member e ℓ₁ ⊃ member e ℓ₂) ⊃ (ℓ₂ ⊩ g)

This property can be applied to any specification judgment that uses hypothetical
assumptions. Using it with the encoding of typing judgments for the simply typed
λ-calculus, for example, we easily obtain that permuting, contracting, or weakening
the typing context of a typing judgment does not invalidate that judgment.

Two additional properties of our specification logic which are useful and prov-
able in G are called the instantiation and cut properties. The instantiation property
recovers the notion of universal quantification from our representation of the spec-
ification logic ∀ using ∇. The exact property is

    ∀ℓ, g.(∇x.(ℓ x) ⊩ (g x)) ⊃ ∀t.(ℓ t) ⊩ (g t).

Stated another way, although ∇ quantification cannot be replaced by ∀ quantifi-
cation in general, it can be replaced in this way when dealing with specification
judgments. The cut property allows us to remove hypothetical judgments using a
proof of such judgments. This property is stated as the formula

    ∀ℓ₁, ℓ₂, a, g.(ℓ₁ ⊩ ⟨a⟩) ∧ (a :: ℓ₂ ⊩ g) ⊃ (ℓ₁ℓ₂ ⊩ g),

which can be proved in G: here, ℓ₁ℓ₂ denotes the appending of two contexts. As a
concrete example, we can again take our specification of simply typed λ-calculus and
use the instantiation and cut properties to establish a type substitution property,
i.e., if Γ₁, x : a ⊢ m : b and Γ₂ ⊢ n : a then Γ₁, Γ₂ ⊢ m[x := n] : b.

Encoding properties of specifications in definitions Definitions were used
above to encode the specification logic and also particular specifications in G. There
is another role for definitions in Abella: they can be used also to capture implicit
properties of a specification that are needed in a reasoning task. As an example,
consider the encoding of type assignment. Here, the instances of (seq_N L G) that
arise all have L bound to a list of entries of the form (of x t) where x is a nominal
constant that is, moreover, different from all other such constants appearing in L.
Observing these properties is critical to proving the uniqueness of type assignment.
Towards this end, we may define a predicate cntx via the following clauses:

    cntx nil ≜ ⊤          (∇x. cntx ((of x T) :: L)) ≜ cntx L

Reasoning within G, it can now be shown that L in every (seq_N L G) atom whose
proof is considered always satisfies the property expressed by cntx and, further, if
L satisfies such a property then the uniqueness of type assignment is guaranteed.

Induction on definitions The logic G supports induction only over natural
numbers. Thus the definitions of element and seq in Figure 5 both make use of 
a natural number argument to provide a target for induction. In Abella, such 
arguments are unnecessary since the system implicitly assigns such an additional 
argument to all definitions. Thus when we refer to induction over a definition we 
mean induction on the implicit natural number argument of that definition. 

4 Example: Normalizability in the Typed λ-Calculus

In order to illustrate the strengths and weaknesses of Abella, we detail in this
section a proof of normalizability for the call-by-value, simply typed λ-calculus
(sometimes also called "weak normalizability"). We follow here the proof presented
in [Pie02]. Stronger results are possible for the full, simply typed λ-calculus, but
the one at hand suffices to expose the interesting reasoning techniques. The proof 
under consideration is based on Tait's logical relations argument [Tai67] and makes 
use of simultaneous substitutions. 

Figure 6 contains the specification of call-by-value evaluation and of simple typ-
ing for the λ-calculus. Values are recognized by the predicate value. Small-step
evaluation is defined by step, and a possibly zero length sequence of small steps is
defined by steps. The predicate type recognizes well-formed types, and of defines
the typing rules of the calculus. A noteworthy aspect of the specification of the
of predicate is that it uses the type predicate to ensure that types mentioned in
abstraction terms are well-formed: a fact used in later arguments.

    ∀a, r [value (abs a r)]
    ∀m, n, m' [step m m' ⊃ step (app m n) (app m' n)]
    ∀m, n, n' [value m ∧ step n n' ⊃ step (app m n) (app m n')]
    ∀a, r, m [value m ⊃ step (app (abs a r) m) (r m)]
    ∀m [steps m m]          ∀m, n, p [step m p ∧ steps p n ⊃ steps m n]
    type i          ∀a, b [type a ∧ type b ⊃ type (arr a b)]
    ∀a, b, m, n [of m (arr a b) ∧ of n a ⊃ of (app m n) b]
    ∀a, b, r [type a ∧ ∀x [of x a ⊃ of (r x) b] ⊃ of (abs a r) (arr a b)]

Fig. 6. Specification of simply-typed λ-calculus
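To make the two-level picture concrete, here is an added Python animation of the Figure 6 specification (and thereby of the typing clauses of Figure 4); it is example code written for this edit, not part of the paper or of the Abella distribution. Object-level abstractions are represented by Python functions, so the substitution (r m) in the β-step clause is the host language's application, as in λ-tree syntax; the hypothetical judgments of the of clause for abstractions are kept in a tuple of (nominal constant, type) pairs that plays the role of the atomic context L of seq, and the generic ∀x is realized by allocating a fresh nominal constant. The functions step_all, steps_to_value, trace and type_preserved are this example's own names; step_all returns every derivable successor so that the determinism lemma stated later in this section can be observed on sample terms rather than assumed.

```python
from typing import Callable, List, Tuple

# simple types: i and arr a b (constructed tuple encodings, not Abella syntax)
I = ("i",)


def arr(a, b):
    return ("arr", a, b)


class Nom:
    """A fresh nominal constant; each instance is a distinct name."""
    _count = 0

    def __init__(self):
        Nom._count += 1
        self.id = Nom._count

    def __repr__(self):
        return f"n{self.id}"


def app(m, n):
    return ("app", m, n)


def abs_(a, r: Callable):
    """abs a r, where r is a Python function standing for the abstraction."""
    return ("abs", a, r)


def value(m) -> bool:
    """value (abs a r)"""
    return not isinstance(m, Nom) and m[0] == "abs"


def step_all(m) -> list:
    """All m' with step m m' derivable from the three step clauses of Fig. 6.
    Collecting every derivation makes determinism observable: len <= 1."""
    out = []
    if isinstance(m, Nom) or m[0] != "app":
        return out
    _, f, n = m
    for f2 in step_all(f):                 # step m m' ⊃ step (app m n) (app m' n)
        out.append(app(f2, n))
    if value(f):
        for n2 in step_all(n):             # value m ∧ step n n' ⊃ step (app m n) (app m n')
            out.append(app(f, n2))
        if value(n):                       # value m ⊃ step (app (abs a r) m) (r m)
            out.append(f[2](n))
    return out


def steps_to_value(m, fuel: int = 10_000):
    """steps m v with value v, obtained by iterating step; None if m is stuck
    (no clause applies) or the fuel bound is exhausted."""
    while not value(m):
        nxt = step_all(m)
        assert len(nxt) <= 1, "step is not deterministic"
        if not nxt or fuel == 0:
            return None
        m, fuel = nxt[0], fuel - 1
    return m


def halts(m) -> bool:
    """halts M ≜ ∃V. (⊩ (steps M V)) ∧ (⊩ (value V))"""
    return steps_to_value(m) is not None


def type_wf(a) -> bool:
    """type i ;  type a ∧ type b ⊃ type (arr a b)"""
    return a == I or (a[0] == "arr" and type_wf(a[1]) and type_wf(a[2]))


def of(m, L: Tuple = ()):
    """Synthesize the type of m under hypotheses L = ((x, a), ...), which play
    the role of the atomic context of seq; None if m is untypable. The abs
    clause introduces a fresh nominal constant for the generic ∀x."""
    if isinstance(m, Nom):                 # hypothesis lookup: member (of x a) L
        for x, a in L:
            if x is m:
                return a
        return None                        # a nominal constant absent from L has no type
    if m[0] == "app":                      # of m (arr a b) ∧ of n a ⊃ of (app m n) b
        tf, ta = of(m[1], L), of(m[2], L)
        if tf is not None and tf[0] == "arr" and tf[1] == ta:
            return tf[2]
        return None
    _, a, r = m                            # type a ∧ ∀x[of x a ⊃ of (r x) b] ⊃ of (abs a r) (arr a b)
    if not type_wf(a):
        return None
    x = Nom()
    b = of(r(x), ((x, a),) + L)
    return None if b is None else arr(a, b)


def trace(m) -> List[Tuple]:
    """Evaluation trace of m paired with the synthesized type at each step;
    for a typable start every entry carries the same type (type preservation)."""
    out = [(m, of(m))]
    while not value(m):
        nxt = step_all(m)
        if len(nxt) != 1:
            break
        m = nxt[0]
        out.append((m, of(m)))
    return out


def type_preserved(m) -> bool:
    tr = trace(m)
    return tr[0][1] is not None and all(t == tr[0][1] for _, t in tr)


if __name__ == "__main__":
    # constructed samples: identity on i, identity on i -> i, and the paper's term
    id_i = abs_(I, lambda x: x)
    id_f = abs_(arr(I, I), lambda f: f)
    paper_term = abs_(arr(I, I), lambda f: abs_(I, lambda x: app(f, x)))
    print(of(paper_term))
    for term, ty in trace(app(id_f, app(id_f, id_i))):
        print(term, ty)
```

Running the block prints the type arr (arr i i) (arr i i) for the paper's example term and then the trace of a constructed application. A nominal constant that is absent from the context is untypable in this model, which is the functional counterpart of the later observation that every nominal constant in M must occur in L.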

The goal of this section is to prove weak normalizability, which we can now state
formally in our meta-logic as follows:

    ∀M, A.(⊩ (of M A)) ⊃ ∃V.(⊩ (steps M V)) ∧ (⊩ (value V)).

The rest of this section describes definitions and lemmas necessary to prove this 
formula. In general, almost all results in this section have simple proofs based on 
induction, case analysis, applying lemmas, and building results from hypotheses. 
For such proofs, we will omit the details except to note the inductive argument and 
key lemmas used. The full details of this development are available in the software 
distribution of Abella. 

Evaluation and typing Definitions can be used in Abella to introduce useful
intervening concepts. One such concept is that of halting. We say that a term
M halts if it evaluates to a value in finitely many steps and we define a predicate
capturing this notion as follows:

    halts M ≜ ∃V.(⊩ (steps M V)) ∧ (⊩ (value V)).

A most important property about halting is that it is invariant under evaluation
steps (both forwards and backwards). Using the abbreviation F ≡ G for (F ⊃
G) ∧ (G ⊃ F), we can state this property formally as

    ∀M, N.(⊩ (step M N)) ⊃ (halts M ≡ halts N).

This result is immediate in the backward direction, i.e., halts N ⊃ halts M. In the
forward direction it requires showing that one step of evaluation is deterministic:

    ∀M, N, P.(⊩ (step M N)) ∧ (⊩ (step M P)) ⊃ N = P.

This formula is proved by induction on the height of the derivation of either one of
the judgments involving the step predicate.

A standard result in the λ-calculus, which we will need later, is that one step of
evaluation preserves typing. This is stated formally as

    ∀M, N, A.(⊩ (step M N)) ∧ (⊩ (of M A)) ⊃ (⊩ (of N A)).

The proof of this formula uses induction on the height of the derivation of the
judgment involving the step predicate. An interesting case in this proof is when
step M N is step (app (abs B R) P) (R P) for some B, R, and P, i.e., when
β-reduction is performed. Deconstructing the typing judgment

    (⊩ (of (app (abs B R) P) A))

we can deduce that (⊩ (of P B)) and ((of x B) :: nil ⊩ (of (R x) A)) where x is a
nominal constant. Here we use the instantiation property of our specification logic
to replace x with P yielding ((of P B) :: nil ⊩ (of (R P) A)). Next we apply the cut
property of our specification logic to deduce (⊩ (of (R P) A)) which is our goal.

Finally, we note that the contexts which are constructed during the proof of a
typing judgment always have the form (of x₁ a₁) :: … :: (of xₙ aₙ) :: nil where the
xᵢ's are distinct nominal constants and the aᵢ's are valid types. We introduce the
following formal definition of cntx to exactly describe such contexts:

    cntx nil ≜ ⊤          (∇x. cntx ((of x A) :: L)) ≜ (⊩ (type A)) ∧ cntx L

Note, ∇ in the definition head ensures that the xᵢ's are distinct nominal constants.

The logical relation The difficulty with proving weak normalizability directly is
that the halting property is not closed under application, i.e., halts M and halts N
does not imply halts (app M N). Instead, we must strengthen the halting property
to one which includes a notion of closure under application. We define the logical
relation reduce by induction over the type of a term as follows:

    reduce M i ≜ (⊩ (of M i)) ∧ halts M

    reduce M (arr A B) ≜ (⊩ (of M (arr A B))) ∧ halts M ∧
                         ∀N.(reduce N A ⊃ reduce (app M N) B)

Note that reduce is defined with a negative use of itself. Such a usage is permitted
in G only if there is a stratification condition that ensures that there are no logical
cycles in the definition. In this case, the condition to use is obvious: the second
argument to reduce decreases in size in the recursive use.

Like halts, the reduce relation is preserved by evaluation:

    ∀M, N, A.(⊩ (step M N)) ∧ (⊩ (of M A)) ⊃ (reduce M A ≡ reduce N A).

This formula is proved by induction on the definition of reduce, using the lemmas
that halts is preserved by evaluation and of is preserved by evaluation.

Clearly reduce is closed under application and it implies the halting property,
thus we strengthen our desired weak normalizability result to the following:

    ∀M, A.(⊩ (of M A)) ⊃ reduce M A.

In order to prove this formula we will have to induct on the height of the proof
of the judgment (⊩ (of M A)). However, when we consider the case that M is
an abstraction, we will not be able to use the inductive hypothesis on the body of
M since reduce is defined only on closed terms, i.e., those typeable in the empty
context. The standard way to deal with this issue is to generalize the desired formula
to say that if M, a possibly open term, has type A then each closed instantiation
for all the free variables in M, say N, satisfies reduce N A. This requires a formal
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description of simultaneous substitutions that can "close" a term. 

Arbitrary cascading substitutions and freshness Given (Llh {of M A)), i.e., 
an open term and its typing context, we define a process of substituting each free 
variable in M with a value V which satisfies the logical relation for the appropriate 
type. We define this subst relation as follows: 

subst nil M M = T 
(Vx. subst {{ofx A) :: L) {R x) M) = 

3V. reduce V A^{\V {value V)) A subst L {R V) M 

By employing V in the head of the second clause, we are able to use the notion 
of substitution in the meta-logic to directly and succinctly encode substitution in 
the object language. Also note that we are, in fact, defining a process of cascading 
substitutions rather than simultaneous substitutions. Since the substitutions we 
define (using closed terms) do not affect each other, these two notions of substitution 
are equivalent. We will have to prove some part of this formally, of course, which 
in turn requires proving results about the (non)occurrences of nominal constants in 
our judgments. The results in this section are often assumed in informal proofs. 

One consequence of defining cascading substitutions via the notion of substi- 
tution in the meta-logic is that we do not get to specify where substitutions are 
applied in a term. In particular, given an abstraction abs A R we cannot preclude 
the possibility that a substitution for a nominal constant in this term will affect the 
type A. Instead, we must show that well-formed types cannot contain free variables, 
which can be formalized as $\forall A. \nabla x.\ \{\vdash \mathit{type}\ (A\ x)\} \supset \exists B.\ A = \lambda y. B$. This formula 
essentially states that any well-formed type which possibly depends on a nominal 
constant x must depend on it only in a vacuous way. 

The above result about types assumes that judgments concerning type occur in 
an empty context. Now, such judgments actually enter the picture through uses 
of the specification logic rule for of that deals with the case of abstractions. This 
means that we have to consider judgments involving type that have a context meant 
to be used in judgments involving the of predicate. To use the result we have just 
established, we must show that these contexts can be ignored. We formalize this as 
$\forall L, A.\ \mathit{cntx}\ L \wedge \{L \vdash \mathit{type}\ A\} \supset \{\vdash \mathit{type}\ A\}$, a formula that can be proved using 
induction on the proof of the judgment $\{L \vdash \mathit{type}\ A\}$. In the base case we must 
establish $\forall L, A.\ \mathit{cntx}\ L \wedge \mathit{member}\ (\mathit{type}\ A)\ L \supset \bot$, which is proved by induction on 
the proof of member. 

Another necessary result is that in any provable judgment of the form (L Ih 
{of M A)), any nominal constant (denoting a free variable) in M must also occur 
in L, i.e., 

$\forall L, R, A. \nabla x.\ \mathit{cntx}\ L \wedge \{L \vdash \mathit{of}\ (R\ x)\ (A\ x)\} \supset \exists M.\ R = \lambda y. M$

The proof is by induction on the height of the derivation of the judgment involving 
of. In the base case, we need that an element of a list cannot contain any nominal 
constant which does not occur in the list, i.e., $\forall L, E. \nabla x.\ \mathit{member}\ (E\ x)\ L \supset \exists F.\ E = \lambda y. F$. 
This formula is proved by induction on member. 

We next show that typing judgments produce well-formed types by proving 

$\forall L, M, A.\ \mathit{cntx}\ L \wedge \{L \vdash \mathit{of}\ M\ A\} \supset \{\vdash \mathit{type}\ A\}.$
The induction here is on the height of the derivation of the judgment involving of 
and the base case is $\forall L, M, A.\ \mathit{cntx}\ L \wedge \mathit{member}\ (\mathit{of}\ M\ A)\ L \supset \{\vdash \mathit{type}\ A\}$, which 
is proved by a simple induction on member. 

Given our repertoire of results about the occurrences of nominal constants in 
judgments, we can now prove fundamental properties of arbitrary cascading substi- 
tutions. The first property states that closed terms, those typeable in the empty 
context, are not affected by substitutions, i.e., 

$\forall L, M, N, A.\ \{\vdash \mathit{of}\ M\ A\} \wedge \mathit{subst}\ L\ M\ N \supset M = N.$

The proof here is by induction on subst which corresponds to induction on the 
length of the list L. The key step within the proof is using the lemma that any 
nominal constant in the judgment $\{\vdash \mathit{of}\ M\ A\}$ must also be contained in the 
context of that judgment. Since the context is empty in this case, there are no 
nominal constants in M and thus the substitutions from L do not affect it. 

We must show that our cascading substitutions act compositionally on terms in 
the object A-calculus. This is stated formally for application as follows: 

$\forall L, M, N, R.\ \mathit{cntx}\ L \wedge \mathit{subst}\ L\ (\mathit{app}\ M\ N)\ R \supset$

$\exists M', N'.\ R = \mathit{app}\ M'\ N' \wedge \mathit{subst}\ L\ M\ M' \wedge \mathit{subst}\ L\ N\ N'.$

This is proved by induction on cntx, which amounts to induction on the length of 
the list L. For abstractions we prove the following, also by induction on cntx: 

$\forall L, M, R, A.\ \mathit{cntx}\ L \wedge \mathit{subst}\ L\ (\mathit{abs}\ A\ M)\ R \wedge \{\vdash \mathit{type}\ A\} \supset$

$\exists M'.\ R = \mathit{abs}\ A\ M' \wedge (\forall V.\ \mathit{reduce}\ V\ A \wedge \{\vdash \mathit{value}\ V\} \supset$

$\nabla x.\ \mathit{subst}\ ((\mathit{of}\ x\ A) :: L)\ (M\ x)\ (M'\ V)).$

Here we have the additional hypothesis of $\{\vdash \mathit{type}\ A\}$ to ensure that the substi- 
tutions created from L do not affect A. At one point in this proof we have to show 
that the order in which cascading substitutions are applied is irrelevant. The key 
to showing this is realizing that all substitutions are for closed terms. Since closed 
terms cannot contain any nominal constants, substitutions do not affect each other. 
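The claim just made, and the remark after the definition of subst that cascading and simultaneous substitution coincide because the substituted terms are closed, can be checked concretely. The following Python model is an added example and is not code from the paper or from the Abella system. It uses the locally nameless representation discussed in Section 6 (de Bruijn indices for bound variables, string names standing in for nominal constants) rather than the meta-level λ-terms and ∇-bound names of 𝒢, and every term and context in it is constructed for the illustration. It shows that with closed values the two disciplines agree and the cascade order is irrelevant, that a closed term is left unchanged (the first property of the text), and that the agreement breaks as soon as one substituted value is open.

```python
# Added illustration (not code from the paper or from Abella): a first-order model
# of the object lambda-calculus, used to check the claims about cascading
# substitution of closed terms. Free variables (the role played by nominal
# constants in the paper) are names; bound variables are de Bruijn indices.
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple, Union


@dataclass(frozen=True)
class Var:
    name: str           # free variable / nominal constant


@dataclass(frozen=True)
class Bound:
    index: int          # lambda-bound variable, de Bruijn index


@dataclass(frozen=True)
class App:
    fn: "Term"
    arg: "Term"


@dataclass(frozen=True)
class Abs:
    ty: str             # type annotation, as in  abs A R
    body: "Term"


Term = Union[Var, Bound, App, Abs]


def free_vars(t: Term) -> FrozenSet[str]:
    """Names (nominal constants) occurring in t."""
    if isinstance(t, Var):
        return frozenset([t.name])
    if isinstance(t, Bound):
        return frozenset()
    if isinstance(t, App):
        return free_vars(t.fn) | free_vars(t.arg)
    return free_vars(t.body)


def is_closed(t: Term) -> bool:
    """Closed in the paper's sense: no nominal constant occurs in t."""
    return not free_vars(t)


def subst1(t: Term, x: str, v: Term) -> Term:
    """Replace the free name x by v throughout t. Because bound variables are
    indices and v has no dangling indices, going under a binder needs no
    shifting or renaming, so the only possible interference is between names."""
    if isinstance(t, Var):
        return v if t.name == x else t
    if isinstance(t, Bound):
        return t
    if isinstance(t, App):
        return App(subst1(t.fn, x, v), subst1(t.arg, x, v))
    return Abs(t.ty, subst1(t.body, x, v))


def cascading_subst(ctx: List[Tuple[str, Term]], t: Term) -> Term:
    """Mirror of the paper's subst relation: peel the context one binding at a
    time, newest binding first, substituting into the result of the previous step."""
    for x, v in ctx:
        t = subst1(t, x, v)
    return t


def simultaneous_subst(ctx: List[Tuple[str, Term]], t: Term) -> Term:
    """All bindings applied at once; substituted values are never re-scanned."""
    env = dict(ctx)

    def go(u: Term) -> Term:
        if isinstance(u, Var):
            return env.get(u.name, u)
        if isinstance(u, Bound):
            return u
        if isinstance(u, App):
            return App(go(u.fn), go(u.arg))
        return Abs(u.ty, go(u.body))

    return go(t)


# Constructed closed values of type i -> i and i -> i -> i.
ID_I = Abs("i", Bound(0))
K_I = Abs("i", Abs("i", Bound(1)))

# Constructed open term with free x and y under a binder:  abs i (z. app (app x z) y)
M = Abs("i", App(App(Var("x"), Bound(0)), Var("y")))


def closed_context_agrees() -> bool:
    """With closed values, cascading in either order equals simultaneous substitution."""
    ctx = [("x", K_I), ("y", ID_I)]
    a = cascading_subst(ctx, M)
    b = cascading_subst(list(reversed(ctx)), M)
    c = simultaneous_subst(ctx, M)
    return a == b == c and is_closed(a)


def closed_term_unaffected() -> bool:
    """Miniature of  {|- of M A} /\\ subst L M N => M = N : no names, no change."""
    return cascading_subst([("x", K_I), ("y", ID_I)], K_I) == K_I


def open_values_break_equivalence() -> bool:
    """Failure mode the closedness requirement rules out: x := y is open, so the
    cascade also rewrites the y it introduced, while simultaneous substitution does not."""
    ctx = [("x", Var("y")), ("y", ID_I)]
    cas = cascading_subst(ctx, M)
    sim = simultaneous_subst(ctx, M)
    return cas != sim and cas == Abs("i", App(App(ID_I, Bound(0)), ID_I))
```

The `open_values_break_equivalence` case is the reason the paper insists on substituting closed terms: once a value may mention a nominal constant that is itself substituted later in the cascade, the order of the cascade and the choice between cascading and simultaneous substitution both become observable, and the compositionality lemmas stated above would no longer hold as written.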
Finally, we must show that cascading substitutions preserve typing. Moreover, 
after applying a full cascading substitution for all the free variables in a term, that 
term should now be typeable in the empty context: 

$\forall L, M, N, A.\ \mathit{cntx}\ L \wedge \mathit{subst}\ L\ M\ N \wedge \{L \vdash \mathit{of}\ M\ A\} \supset \{\vdash \mathit{of}\ N\ A\}.$

This formula is proved by induction on cntx and by using the instantiation and cut 
properties of our specification logic. 

The final result Using cascading substitutions we can now formalize the gener- 
alization of weak normalizability that we described earlier: given a (possibly open) 
well-typed term, every closed instantiation for it satisfies the logical relation reduce: 

$\forall L, M, N, A.\ \mathit{cntx}\ L \wedge \{L \vdash \mathit{of}\ M\ A\} \wedge \mathit{subst}\ L\ M\ N \supset \mathit{reduce}\ N\ A.$

The proof of this formula is by induction on the height of the derivation of the 
typing judgment $\{L \vdash \mathit{of}\ M\ A\}$. The inductive cases are fairly straightforward 
using the compositional properties of cascading substitutions and various results 
about invariance under evaluation. In the base case, we must prove 

$\forall L, M, N, A.\ \mathit{cntx}\ L \wedge \mathit{member}\ (\mathit{of}\ M\ A)\ L \wedge \mathit{subst}\ L\ M\ N \supset \mathit{reduce}\ N\ A,$
which is done by induction on cntx. Weak normalizability is now a simple corollary 
where we take L to be nil. Thus we have proved $\forall M, A.\ \{\vdash \mathit{of}\ M\ A\} \supset \mathit{halts}\ M$. 

5 Assessment and Future Work 

The Abella system has been tested with several prototypical examples; details are 
available with the system distribution. These experiments indicate considerable 
promise for the two-level logic based approach in reasoning about formal systems. 
However, the experiments have also revealed some issues with Abella at a practical 
level. We discuss these below and suggest work aimed at addressing them. 

Base case lemmas Every lemma whose proof uses induction on a specification 
logic judgment with a non-empty context requires another lemma to be proved 
for the base case where that judgment follows because it is in the context. This 
creates mundane overhead. The work in these base case lemmas consists of a simple 
induction over the length of the context. Support for richer tactics for induction on 
specification judgments might lead to more user friendly behavior in such cases. 

Types in specifications The specification logic is embedded as an untyped logic 
in $\mathcal{G}$. This is usually not an issue: specification logic judgments themselves impose 
type restrictions on terms. For example, the typing judgment of M A holds only if 
M is a λ-term. However, sometimes explicit type judgments, such as the judgment 
type for recognizing well-formed simple types, are required in specifications. One 
possibility being considered for addressing the typing issue is for an implementation 
such as Abella to automatically generate recognizer predicates based on type 
information. These predicates could then be implicitly attached to all declarations 
of meta-level variables. 

Different specification logics Currently, Abella has built into it exactly one 
specification language ($hH^2$) and exactly one proof system for it (uniform proofs). 
Certain application areas might benefit from having other proof systems for intu- 
itionistic logic available as well as other specification logics. For example, linear logic 
specification languages [HM94,Mil96] can be used to provide declarative specifica- 
tions of the operational semantics of programming languages that contain features 
such as references, exceptions, and concurrency. Thus, McDowell and Miller [MM02] 
presented a seq-like predicate for a subset of intuitionistic linear logic that they used 
to specify the operational semantics of a simple functional language extended with 
references and to then prove a subject-reduction theorem for that language. It 
would be natural to consider extending the specification logic in Abella to be all 
of intuitionistic linear logic (or, in fact, all of linear logic) since this would enhance 
that logic's expressiveness a great deal. Such an extension could be designed so that 
if a given specification did not employ the novel linear logic connectives, then the 
encoding of seq would modularly revert back to that of intuitionistic logic. 

6 Related Work 

Nominal logic approach The Nominal package for Isabelle/HOL automates a 
process of defining and proving standard results about α-equivalence classes [UT05]. 
This allows for formal reasoning over objects with binding which is close to informal 
reasoning. One drawback of the nominal approach is that it does not provide a 
notion of substitution, and thus users must define their own substitution function 
and prove various properties relating to it. A proof of weak normalizability for the 
simply typed λ-calculus has been conducted with the nominal package [NU08], and 
in this case a notion of simultaneous substitution is used. For the nominal approach, 
this extended notion of substitution can be defined directly since one works with 
α-equivalence classes and not higher-order terms as in our case. Additionally, the cost 
of defining and reasoning about simultaneous substitution is not a significant step 
up from what is already required for standard substitution in the nominal approach. 
The specification language for the nominal package is functions and predicates 
over α-equivalence classes. This language does not have a built-in notion of 
hypothetical judgments, which are typically useful for describing structural rules over 
objects with binding. For example, by encoding the simply typed A-calculus in our 
specification language using hypothetical judgments for typing assumptions, we de- 
rive a type substitutivity property as consequence of general instantiation and cut 
properties of the logic, see Section 3. In the nominal approach, such a proof must 
be conducted manually. 

Twelf The Twelf system [PS99] uses LF terms and types for a specification lan- 
guage [HHP93] and the meta-logic $\mathcal{M}_2^+$ [Sch00] for reasoning. The primary differ- 
ence between the Twelf approach and ours is that the $\mathcal{M}_2^+$ meta-logic is relatively 
weak in expressive power. For instance, it is restricted to $\Pi_2$ formulas (i.e., $\forall\exists$ 
formulas) and lacks logical connectives such as conjunction, disjunction, and impli- 
cation. Despite these restrictions, the meta-logic is expressive enough for most com- 
mon reasoning tasks and has been very successful in practice. Another significant 
difference is that $\mathcal{M}_2^+$ is designed with an inherent notion of a global hypothetical 
context. Thus the meta-logic builds in some notion of which judgments can depend 
on assumptions of other judgments. This is less of a concern in our approach since 
each judgment has its own local context. 

Due to the $\Pi_2$ restriction of the meta-logic $\mathcal{M}_2^+$, it is not possible to encode a 
direct proof of weak normalizability for the simply typed λ-calculus using a logical 
relations argument. Recently, however, an indirect proof was completed using an 
intermediate assertion logic which has enough richness to encode the proper logical 
relation [SS08]. This is a useful technique for extending the expressive power of the 
Twelf system, but it comes with the cost of moving from a two-level logic approach 
to a three-level logic approach. 

Locally nameless The locally nameless representation for syntactic objects with 
binding is a first-order approach using de Bruijn indices for bound variables and 
names for free variables. This balance between two representational techniques 
has been used successfully in practice [ACP+08]. Our approach to representation 
can be seen as a meta-level version of this balance where we use (meta-level) 
λ-terms to represent explicitly bound variables and (meta-level) nominal constants 
for implicitly bound variables (i.e., free variables). With this understanding, the 
trade-off between the first-order and meta-level approaches to bound/free variable 
representation is that the former works with existing theorem provers while the 
latter has substitution and equivariance built-in. 